When a cardholder’s data is collected to process a transaction, this amounts to processing of personal data as defined under the UK GDPR; storing or transmitting such information also amounts to processing of that data.
The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard administered by the Payment Card Industry Security Standards Council. Under the PCI DSS, all service providers and merchants that process, transmit or store cardholder data must comply with the standard.
Therefore, any organisation processing such information is required to comply with the requirements of the UK GDPR as well as the PCI DSS.
Data Protection considerations when processing cardholder information:
- Cardholder data should be stored in line with the UK GDPR principles of data minimisation, retention, and disposal. The PCI DSS does not define a fixed period for which such details may be stored; they should therefore be retained only for as long as is necessary for business needs, after which they should be securely destroyed.
- The PIN or full CVV data of cards should not be stored, even when such information is collected during a checkout process.
- Encrypting the data plays an important role in protecting it and contributes to the strong data security measures required for storing such information.
- Access control should be practised in organisations processing such information. Access should be granted on a ‘need to know’ basis.
- Organisations must regularly test their systems to assess any risks in their processing activities.
- Organisations should identify the lawful basis relied on to process such information, and make this information available to data subjects via the privacy notice.
- Organisations must have a robust data breach response plan in place when they process such information, as required by both the PCI DSS and the UK GDPR.
If you have any questions or concerns about collecting cardholder data, do not hesitate to contact us on 0330 111 0013 or at info@hope-may.com.